Published: 28 Dec 05:31

Last Push: 29 Dec 09:45


Readme from Github

Secure log collection from DMZ

The steps outlined below demonstrate how to securely transmit logs from the DMZ to an internal Graylog server. This method uses TLS to encrypt all communication and does not require any new inbound rules on the firewall, because the internal Graylog server pulls the data out of the DMZ rather than the DMZ pushing into the internal network. In my examples I will be using Windows-based servers and clients.

Dataflow

1. NXLog collects Windows event logs from clients in the DMZ
2. NXLog converts the log data to JSON
3. NXLog sends the log data to Logstash over an encrypted TLS connection
4. Logstash sends the data to RabbitMQ
5. Graylog retrieves the data from RabbitMQ
6. Graylog extracts the fields from the JSON

We will be using the following servers in this example:

- dmzserver: existing server you wish to collect logs from
- dmzlogserver: new server you will build to host Logstash and RabbitMQ in the DMZ
- graylogserver: existing Graylog server you wish to deliver the logs to

Build new Windows log server

Minimum hardware requirements:

- 1 GHz CPU
- 2 GB RAM
- 40 GB drive

Standard Windows Server install.

This computer does not need to be joined to the domain.

Generate certificates and keys for NXLog/Logstash

Note: I ran the following on a Linux computer that already had GnuTLS certtool installed. If you're planning to run it in Windows you'll need to download the tools here

```
# certtool template for the Logstash (server-side) certificate
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key
# Whether this certificate will be used for a TLS server
tls_www_server
expiration_days = 3650
```
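The template above is only one piece of the PKI this setup needs. The script below is an added example, not part of the README: it uses certtool templates to create a private CA, a server certificate for the Logstash host (dmzlogserver, from the guide) and a client certificate for NXLog, so that Logstash can require a known client certificate rather than accept any peer that speaks TLS. It assumes certtool is installed; the CA and client names are made up for the example.

```shell
#!/bin/sh
# Added example: build a small PKI for NXLog -> Logstash with GnuTLS certtool.
# Names below (CA name, client cn, output directory) are assumptions for the example.
set -eu

write_templates() {           # $1 = output directory
  d="$1"; mkdir -p "$d"
  cat > "$d/ca.tmpl" <<'EOF'
cn = "DMZ log collection CA"
ca
cert_signing_key
expiration_days = 3650
EOF
  # Server template: same flags as the README fragment, plus the hostname
  # NXLog will verify against and a signing key for the TLS handshake.
  cat > "$d/server.tmpl" <<'EOF'
cn = "dmzlogserver"
dns_name = "dmzlogserver"
signing_key
encryption_key
tls_www_server
expiration_days = 3650
EOF
  cat > "$d/client.tmpl" <<'EOF'
cn = "nxlog-dmz-client"
signing_key
encryption_key
tls_www_client
expiration_days = 3650
EOF
}

gen_pki() {                   # $1 = output directory
  d="$1"; write_templates "$d"
  # CA key and self-signed CA certificate; keep ca-key.pem off the DMZ hosts
  certtool --generate-privkey --outfile "$d/ca-key.pem"
  certtool --generate-self-signed --load-privkey "$d/ca-key.pem" \
    --template "$d/ca.tmpl" --outfile "$d/ca-cert.pem"
  # One key and CA-signed certificate each for Logstash (server) and NXLog (client)
  for role in server client; do
    certtool --generate-privkey --outfile "$d/$role-key.pem"
    certtool --generate-certificate --load-privkey "$d/$role-key.pem" \
      --load-ca-certificate "$d/ca-cert.pem" --load-ca-privkey "$d/ca-key.pem" \
      --template "$d/$role.tmpl" --outfile "$d/$role-cert.pem"
    # Fail fast if the issued certificate does not verify against the CA
    certtool --verify --load-ca-certificate "$d/ca-cert.pem" --infile "$d/$role-cert.pem"
  done
}
```

Logstash gets server-key.pem and server-cert.pem, NXLog gets client-key.pem, client-cert.pem and ca-cert.pem; both sides only ever need the CA certificate, never the CA key, to validate each other.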


Comments

m0ps, over 2 years ago

Pastebin preformatted config - http://pastebin.com/iHpm0Dty

m0ps, over 2 years ago

nxlog.conf example for Linux:

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at
## http://nxlog.org/docs
```